[TriLUG] FTP servers

Tanner Lovelace lovelace at wayfarer.org
Mon Sep 16 22:55:51 EDT 2002


On Mon, 2002-09-16 at 20:59, Thomas C. Meggs wrote:
> I've never heard of pureFTP, but I have definitely heard of ProFTPD.
> Check out the Bugtraq archives, it has a history riddled with security
> problems, along with WU-FTPD. I believe what's being recommended now by
> a lot of Bugtraq folks is NcFTPD. Running a service that uses plain text
> authentication is bad enough, so I would recommend at least going with
> one where your box won't get root'd without someone having to sniff the
> network. :)
> 
> Regards,
> Tom
>

Tom,

So nice of you to just trash something without any references
and then recommend a commercial product.  You don't by any chance
own stock in NcFTP do you?  (Okay, that was a cheap shot, but
I did wonder...)

For the record, proftpd does *not* have a "history riddled with
security problems."  If you want to know about proftp's security,
feel free to search google and look here:
http://www.proftpd.org/security.html

Yes, there have been bugs found.  Any complex piece of software will 
have bugs.  The proftp developers, however, have been proactive
in auditing the code and finding problems and fixing them before they
become widespread exploits.  This is no guarantee it's secure, but
it certainly goes a long way towards reassuring this particular
system administrator (not only do we run it for trilug, but I've
run it on my servers for years).  (As always, you should have a
comprehensive security policy in place to address things like
cleartext passwords.)  Running proftp will not, by itself, allow
your box to be "root'd".

Tanner Lovelace
-- 
Tanner Lovelace | lovelace at wayfarer.org | http://wtl.wayfarer.org/
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
GPG Fingerprint = A66C 8660 924F 5F8C 71DA  BDD0 CE09 4F8E DE76 39D4
GPG Key can be found at http://wtl.wayfarer.org/lovelace.gpg.asc
--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--*--
 This would be a very good time to hang out with the Open Source 
 people, before they get formally reclassified as a national security 
 threat. -- Bruce Sterling



